Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients such as Skype and MSN, GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this; I find it useful for sharing chat between my BlackBerry and PC: I basically never need to log on or off on either, since they are both constantly connected to the Google Talk servers.

UPDATE: This post is not related to the recently released NSA patent on snoop detection :D


SPAMing as a Full Time Job?

I’ve been noticing that most of the spam I get (and nearly all that gets through the filters) arrives during the week, not on weekends. Actually, looking at my spam box, it looks like I receive around twice as much on weekdays as on weekend days.

My point being (and I’m sure there are some good answers): is spamming a full-time job for a lot of spammers, or even a 40-hour-a-week job? I’d have to say that for at least the dedicated ones, it probably is. Or do they just figure more people check their mail on weekdays?

Either way, spam sucks.


Metasploit’s Decloak, v2


Metasploit Decloak is back online. Decloak (v2) now identifies the real IP address of a user using a slick combo of “client-side technologies and custom services”. v2 also works regardless of the user’s proxy settings. The only public technology that it cannot get through is a PROPERLY CONFIGURED Tor+Torbutton+Privoxy setup, HDM mentions.

You can read more about it and, if you haven’t already, give it a whirl.


Everything new is old again – Web 2.0

Or, social networking, if you prefer.

Let’s face it, the net is social.  The money that went into creating computer networks, and the Internet itself, may have been intended for specific purposes, but as soon as it was there people, being people, were being social.

As soon as the Internet was out of the test-bed (and probably before that), and even before it was known as the Internet, people were using email.  A lot.  For social things.  What are the longest running Usenet “news”groups, and mailing lists of any types?  Lists of jokes and discussions of science fiction.  Social stuff.  (Yeah, the sf geeks are pretty antisocial, by “normal” standards, but for them this stuff is the ultimate in sociability.)

So, what’s new?  Oh, “social” networks have the users generate content?  What do you think mailing lists are?  OK, blogs make it a bit easier to search archives.  But archives of mailing lists have been around for a while, too.  (And this “easier” stuff is highly subjective.  Some blogs can be pretty difficult to plow through in order to find content of interest.)

And what about the Internet itself?  It’s the last word in user created content.  The protocols and programs that run the net were primarily created by individual users, seeing something they wanted to do, and writing something that would do it.  As Dave Clark famously put it, “We believe in: rough consensus and running code.”
Works pretty good, doesn’t it?


Not Microsoft’s Online Lottery


This was just too funny not to share. Read carefully and draw your own conclusions, haha.

from    MIKE ROBINSON
reply-to    mike_robinson79@yahoo.com
to
date    Wed, Dec 17, 2008 at 10:23 AM
subject    WINING NOTIFICATION


1 MICROSOFT WAY
Redmond, WA 98052.
BL4 4PZ,lONDON.
Ref: BTD/968/08
Batch: 409978E
WINNING NOTIFICATION

This is to inform you that your email has won a consolation prize
of the Microsoft Corporation 2008 EMAIL DRAW.Your email has won
(£500,000.00)&(Great British Pounds)of the microsoft onlinelottery
promotion Your email address as indicated was drawn and attached to
ticket number 008795727498 with serial numbers BTD/9080648302/08 and
drew the lucky numbers 14-21-25-39-40-47(20)To file for your claims,you
are to contact your designated claims agent
Mr.mike robinson of this
email: mike_robinson79@yahoo.com

PAYMENT RELEASE ORDER FORM
Full Names——————-
Gender———————–
Age————————–
Contact Address————–
Occupation——————-
Country———————-
Telephone numbers————
Batch————————
Reference——————–
Microsoft Fiduciary Agent
MR Harry peterson


Phone fraud

A not-uncommon phone fraud story from the CBC.  However, I keep telling people:

a) We don’t know enough about phone systems, and unlike most of the breaches we deal with, phone fraud costs you real money, right now.

b) When you get hit and take the story to the telcos, the telcos, very profoundly, don’t care.


Useless SPAM


This junk keeps slipping through Gmail’s spam filters, and the best I can say about it is ‘useless’.

Anybody else been getting this kind of crap lately?

from    Christoph_Schell@computacenter.com
to    [0][x][j][b][r][o][w][n][4][1]@gmail.com
date    Mon, Dec 15, 2008 at 4:02 PM
subject    Christoph Schell/Kerpen/GECITS-EU is out of the office.
mailed-by    computacenter.com

I will be out of the office starting  11.12.2008 and will not return until
18.12.2008.

I will respond to your message when I return or contact Michael Menen
(Michael.Menen@computacenter.com).

**********************************************************************
COMPUTACENTER PLC is registered in England and Wales with the registered number 03110569.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW
COMPUTACENTER (UK) Limited is registered in England and Wales with the registered number 01584718.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW

The contents of this email are intended for the named addressee only.
It contains information which may be confidential and which may also be privileged.
Unless you are the named addressee (or authorised to receive mail for the addressee) you may not copy or use it, or disclose it to anyone else.

If you receive it in error please notify us immediately and then destroy it.

Computacenter information is available from:

http://www.computacenter.com

**********************************************************************

I usually get 5-10 of these about once a month, all in the same hour or two. The most ‘useless’ part about it is that it doesn’t affect me at all, in any way, either personally or work-related.


DNSSolutions


The flaw discovered by Dan Kaminsky put a forthright scare into the entire internet community — and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his/her eyeballs with goodies.

But now, since everyone has been woken up, there are two mainstream proposed solutions that hope to end the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network’s integrity on? Better hope you’re patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC as a means of securing DNS on the Internet. One man who opposes DNSSEC has written his own code to provide a nicer, more secure solution, far better than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic-curve cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and of many other high-security servers such as qmail and djbdns, doesn’t want DNSSEC implemented, but DNSCurve instead. And there is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now-rival systems.

Some huge advantages of DNSCurve over DNSSEC are encryption of DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial of service attacks, and other improvements.

There is one quick, unrelated issue on which I disagree with Mr. Bernstein. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and confirmed exploitability on 64-bit platforms with a lot of memory.

Bernstein denied the claim, stating: “In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a “remote exploit in qmail-smtpd.” This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.” Now, to me, and I am sure to many other people as well, an exploitable bug is an exploitable bug. Sometimes conditions have to be met, and that “can be carried too far”, as one might put it, but in this case it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he has both great code and great concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein’s all-around great approach to making DNS safer, more resilient against attacks, and definitely more secure. Hopefully, people will realize that money can’t solve all our problems, but the guys who know what they are doing can, and might just make some things happen pretty soon.


SSH Gets Attacked


Yeah, brute force attacks on SSH are old news. But now there is something new and interesting about them! Attackers (how did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.
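The quoted article’s point is that a botnet spreads the guesses across many sources, so a per-IP lockout never trips. Here is an added example (not from the original post) of detection logic that separates the classic single-source pattern from that coordinated one, run over constructed auth.log lines; the thresholds, hostnames and IPs are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the "Failed password" lines OpenSSH writes to syslog/auth.log.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Return (target_user, source_ip) for every failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def classify_attacks(failures, per_ip_threshold=10, min_distinct_ips=5):
    """Separate the classic pattern from the coordinated one.

    single_source: IPs whose own failure count reaches per_ip_threshold,
        the pattern a per-IP lockout already catches.
    distributed: target users hit from at least min_distinct_ips sources
        that each stay BELOW per_ip_threshold, the botnet-coordinated,
        low-and-slow pattern that per-IP counting alone misses.
    """
    per_ip = Counter(ip for _, ip in failures)
    ips_per_user = defaultdict(set)
    for user, ip in failures:
        ips_per_user[user].add(ip)
    single = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    distributed = {}
    for user, ips in ips_per_user.items():
        quiet = {ip for ip in ips if per_ip[ip] < per_ip_threshold}
        if len(quiet) >= min_distinct_ips:
            distributed[user] = sorted(quiet)
    return {"single_source": single, "distributed": distributed}


def _line(sec, target, ip):
    # One constructed auth.log line; timestamps, PIDs and IPs are sample data.
    return (f"Dec 18 01:{sec // 60:02d}:{sec % 60:02d} host sshd[{1000 + sec}]: "
            f"Failed password for {target} from {ip} port {40000 + sec} ssh2")


def constructed_log():
    """Constructed sample log: one noisy host hammering root (12 failures),
    six quiet hosts each trying 'admin' twice, plus one legitimate login."""
    lines = [_line(i, "root", "203.0.113.5") for i in range(12)]
    lines += [_line(100 + i, "invalid user admin", f"198.51.100.{1 + i % 6}")
              for i in range(12)]
    lines.append("Dec 18 01:05:00 host sshd[999]: Accepted publickey for "
                 "alice from 192.0.2.10 port 50000 ssh2")
    return "\n".join(lines)


if __name__ == "__main__":
    report = classify_attacks(parse_failures(constructed_log()))
    print("single-source brute force from:", report["single_source"])
    for user, ips in report["distributed"].items():
        print(f"distributed attack on '{user}' from {len(ips)} quiet sources")
```

The per-user view is what makes the quiet sources visible; a tool that only counts failures per IP reports nothing for the ‘admin’ campaign.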


Gotcha CAPTCHA!


Well, your favorite website’s favorite way to see if you’re human or not has a problem — its ‘protection’ has been ‘broken’. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer to do as well? CAPTCHAs have never even looked secure to anyone with an open security mind, and for those swimming in the unconscious thought that some day this ‘protection’ would see its core cracked… well, today is your lucky day.

But never fear! There is hope (really..?)! The Carnegie Mellon University team behind CAPTCHA’s big brother, reCAPTCHA, is for some reason continuing research toward the “effort to mix basic security and useful work”. While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won’t be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new ‘improvement’ being ‘broken’. Oh internet, have mercy on the little people, and send your spam bots to wreak havoc on another interNET.


Igniting Linux Desktop Security


Long ago, my all-time favorite desktop firewall was none other than Sygate Pro (Symantec junkies sought-and-destroyed it a while back). I loved all of its seemingly superior and cool features that really just made me feel great about using it on some servers and workstations. But like most other desktop firewalls, Sygate is/was Windows only. This article isn’t about just any desktop firewall, though; it is about Firestarter, the Linux GUI firewall solution.

Firestarter is a nice, sleek, desktop-safe, open source network security solution for server or workstation settings. Say that 128 times fast! Haha. If you are an administrator or just a savvy Linux desktop user who wants to feel a little more secure on your network, you’ll probably love Firestarter.

Some of the great features of Firestarter include a graphical user interface for configuring firewall rules and settings, a nice wizard to walk you through it, a real-time event monitor to check on intrusion attempts and the like, inbound and outbound network access policy control, port forwarding, the ability to whitelist and blacklist traffic, viewing network connections, advanced kernel tuning to provide some protection against flooding, broadcasting, spoofing and typical DoS attacks, and much more!

Firestarter sits atop iptables, and it works quite nicely to control traffic in and out of your workstation or server. I’ll even give you a couple of quick and simple examples. Say you have XYZ Linux running the ZYX desktop system and you want to be able to transfer files (or data) via XZY, but only from a certain IP address. Simply add a rule in Firestarter and watch it work. What if you want to completely (within the boundaries of this tool) block access from xx.xxx.xx.xxx? Add a rule to blacklist it on outbound traffic. Voila! Simple firewalling made super easy. I use Firestarter and I absolutely love it. So if you haven’t already tried Firestarter, I recommend you give it a shot! I can’t imagine you being disappointed.



Everything new is old again – convergence

Or, converged communications, if you prefer.

I mean, c’mon.  We’ve had VoIP for a while.  (Before that we had H.323.  Even before that we had Internet telephony, although it didn’t work all that terribly well.)

Of course, from our perspective in security, convergence is a great thing–for job security.  Just think, we can take all the problems we have in networking, and all the problems we have in telephony, and roll them up into one big insecurity.

(Surprise, surprise: bad guys are breaking into home and small office VoIP PBXs and using them to make telemarketing calls.)  (Although don’t get me wrong: I’ve nothing against Asterisk per se, and I’m sure it’s a great system–if well managed.)


Internet Explorer Pwned


Microsoft’s world has been shaken up recently by a new remote command execution exploit for its premier web browser, Internet Explorer.

Quoting a timeline from eEye’s research on this vulnerability makes this story more interesting:

“11/15/2008 In-The-Wild Exploitation Witnessed By 3rd Party
12/9/2008 Reliable Exploit Code Identified by eEye Research”

The problem is in the code processing XML in Internet Explorer. An attacker can exploit a buffer overflow to execute their own code on the client just by having the user visit a malicious web page. There are already full exploits for Windows XP and Windows Vista. Apparently, this has been exploited in the wild for some time now. It’s too bad that the original bug discoverer didn’t sell his/her code; they probably would have gotten a small fortune (I am talking about totally legitimate agencies, of course).

Also, according to Muts’ Blog, this vulnerability still isn’t patched (Vista updated with the latest patches — as stated on the blog). Oh Microsoft, we know you’re good with your Patch Tuesdays and all that stuff, but couldn’t you break down and hand out some emergency patches soon? I mean, should ~50% of the world get owned just in time for Christmas!?

But rapid reader, I bring good news too! Firefox users shouldn’t have a thing to worry about =)


Everything new is old again – Intelligent Automation

Wait a minute, I thought automation was supposed to involve some measure of intelligence, kinda by definition?

Oh, but it’s a specialized form of automation.

First we have to go way, way back.  Back to the days of random security technologies, when you had all kinds of different security technologies.  And they all had to be managed.  Separately.

And then, oh joy, someone (either Marcus Ranum or Steve Bellovin, take your pick) invented firewalls!  And we wouldn’t have to manage security anymore!  And there was rejoicing!
Until we figured out that we were going to have to manage the firewalls.

And then someone invented Intrusion Detection Systems!  And there was rejoicing!

Until we figured out that we were going to have to manage the IDS.

And then some marketing department invented IPS.  And by this time, becoming jaded, we were asking questions.  Like, what’s the difference between IDS and IPS.  (Oh, really?  An IPS prevents a packet getting through, rather than just detecting it?  Then what’s the difference between an IPS and a firewall?  Oh, really?  An IPS is more intelligent?  How so?  Well, depends on which marketing department you ask.  That’s what you get for using terms invented by marketing departments …)

But that “intelligent” business seems to have had a bit of magic in it.  We’ve always had network monitoring, of one sort or another.  For a long time we’ve had tools to help us sort through our logs (after all, even IDS is only a form of real-time log analysis).  And people have been trying to sell us all “management” systems, to help with the work of, well, managing all the security bits and pieces.  So why not get a log analysis package, bolt on a few other items (maybe virus scanning or something), and call the whole thing “intelligent”!

Hey, presto!  A new marketing term!


Not your typical firefox SSL error message

I almost never mistype domain names, so I’m glad Firefox was able to catch my error when I did:

[Image: Firefox warning (click the image for a larger version)]

If you haven’t noticed (I didn’t notice myself the first 3-4 times; I kept clicking OK and reloading, thinking Firefox was acting up), the URL is adwords.gogole.com. The good news is that the site is owned by Google, so I wouldn’t have been phished in any case. The bad news is that Google should have either redirected me to the right site or given me an error message instead of showing me the site with the wrong certificate. I know why they are doing it – it’s easier to do a domain catch-all than a redirect, but it’s not good in terms of user experience.

Firefox’s behavior is interesting too. Note that the warning I got was accompanied by a popup dialog that forced me to press ‘OK’ to get to a second warning on the page itself.

If you don’t remember the typical error message, here is what anybody surfing with Firefox for more than a day has seen:

[Image: typical Firefox warning (click the image for a larger version)]

This typical Firefox warning tries to let me know something is wrong. The problem is, I’m seeing it so much that I’m adding exceptions left and right. In the case of the ‘gogole’ typo, the problem is more severe (gogole.com is claiming to be google.com), so I guess Firefox decided to add a dialog box to the error. I’m not sure what triggers it and how often it’s displayed, but for me this is the first time seeing it, so my guess is that Firefox is trying to keep it for the rare occasion when you need the user to understand that the warning has escalated.
I wonder if the next escalation will be a warning siren through the speakers with a small electric shock through the keyboard.
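To make the mismatch concrete, here is an added example (not from the original post, and not Firefox’s own code) of the hostname check a browser runs against the names in a certificate, using a constructed stand-in for the google.com certificate; the name-matching rules are the usual RFC 6125 ones and the certificate names are assumptions.

```python
def name_matches(pattern, hostname):
    """Return True if one certificate name covers hostname.

    Rules assumed here: comparison is case-insensitive, a wildcard is
    accepted only as the entire leftmost label, it never spans a dot (so
    '*.google.com' does not cover 'a.b.google.com'), and a wildcard in a
    two-label name such as '*.com' is rejected outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in pattern:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
    return all(a == "*" or a == b for a, b in zip(p, h))


def certificate_covers(hostname, san_dns_names, common_name=None):
    """Decide whether a certificate covers hostname.

    The subjectAltName dNSName entries are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName at all.
    """
    names = list(san_dns_names) if san_dns_names else (
        [common_name] if common_name else [])
    return any(name_matches(n, hostname) for n in names)


# Constructed stand-in for the certificate the post ran into: names issued
# for google.com, presented to a browser that asked for a gogole.com host.
GOOGLE_CERT_NAMES = ["*.google.com", "google.com"]


def describe(hostname, cert_names=GOOGLE_CERT_NAMES):
    """One-line verdict of the kind a browser turns into its warning."""
    if certificate_covers(hostname, cert_names):
        return f"{hostname}: certificate name matches"
    return f"{hostname}: name mismatch, certificate is for {cert_names}"


if __name__ == "__main__":
    for host in ("adwords.google.com", "adwords.gogole.com"):
        print(describe(host))
```

Because ‘gogole’ and ‘google’ differ in one label, no amount of wildcarding in the real certificate can make the typo host pass, which is exactly the condition the escalated warning is meant to surface.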


Websites Beware


For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. Also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case you’re not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and submits it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web-accessible site, high-profile or not. Blogs, personal websites, mom-and-pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really turned it into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and the names they use to deface, feeding the craving for attention or otherwise.

If you look where they classify and detail ‘special defacements’, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, others just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to deface websites, but now it’s just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.
